55

Here's my situation:

I'm trying to create an SSL certificate that will be installed on all developers' machines, along with two internal servers (everything is non-production).

What do I need to do to create a certificate that can be installed in all of these places?

Right now I've got something along these lines, using the makecert application in Microsoft Visual Studio 8\SDK\v2.0\Bin:

makecert -r -pe -n "CN=MySite.com Dev" -b 01/01/2000 -e 01/01/2033 -eku 1.3.6.1.5.5.7.3.1 -ss Root -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 mycert.cer

However, I'm not sure as to how to place this .cer file on the other computers, and when I install it on my local machine IIS, every time I visit a page via https:, I get the security prompt (even after I've installed the certificate). Has anyone done this before?

John

2 Answers

141

Here are my scripts for doing this:

Create Certificate Authority

Create a self-signed certificate (-r), with an exportable private key (-pe), using SHA1 (-a), for signing (-sky signature). The private key is written to a file (-sv).

makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
         -a sha1 -sky signature -cy authority -sv CA.pvk CA.cer

(^ = allows the batch command line to wrap onto the next line)

Create Server Certificate

Create a server certificate, with an exportable private key (-pe), using SHA1 (-a) for key exchange (-sky exchange). It can be used as an SSL server certificate (-eku 1.3.6.1.5.5.7.3.1). The issuing certificate is in a file (-ic), as is the key (-iv). Use a particular crypto provider (-sp, -sy).

makecert -pe -n "CN=fqdn.of.server" -a sha1 -sky Exchange ^
         -eku 1.3.6.1.5.5.7.3.1 -ic CA.cer -iv CA.pvk ^
         -sp "Microsoft RSA SChannel Cryptographic Provider" ^
         -sy 12 -sv server.pvk server.cer

pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx

You then use the .PFX file in your server app (or install it in IIS). Note that, by default, pvk2pfx doesn't apply a password to the output PFX file. You need to use the -po switch for that.

To make all of your client machines trust it, install CA.cer in their certificate stores (in the Trusted Root Authorities store). If you're on a domain, you can use Windows Group Policy to do this globally. If not, you can use the certmgr.msc MMC snapin, or the certutil command-line utility:

certutil -user -addstore Root CA.cer

To programmatically install the certificate in IIS 6.0, look at this Microsoft KB article. For IIS 7.0, I don't know.

John Leidegren
Roger Lipscombe
  • Here's where I'm stuck: How do you install the .PFX file in IIS? – John Jan 30 '09 at 19:22
  • I should qualify that: I can get it to work if I go into the certificate snap-in and import it to the personal folder... but is there a way to do that without going through that process? When I just double-click on it and try that, it doesn't actually put the certificate in the folder – John Jan 30 '09 at 19:25
  • I'm following these steps and am able to create the pfx file, however when I try to import the pfx file into IIS7 it says "The specified network password is not correct." Do you know how I can get it to import? Thanks – Tigran Sep 18 '09 at 00:14
  • Follow-up: I just didn't enter anything for the password and it imported. – Tigran Sep 18 '09 at 00:55
  • @dscoduc nice tool, for Win7 it needs masty's argument (-cy authority) – Chris S Oct 13 '10 at 11:09
  • **For IIS7** this is as easy as going to the IIS MMC -> Server Certificates -> right click -> Create Self-Signed Certificate. Then add it to your site bindings. – Chris S Oct 13 '10 at 11:20
  • This is by far the most complete answer I have ever seen. Definitely a +1. – Jesse Nov 24 '10 at 15:03
  • For creating the server certificate I think you want to use the `-sk "somename"` parameter, otherwise you'll end up with a blank name for the cert, which looks strange in the cert store. – Chris Marisic Jul 27 '11 at 18:32
  • Even with my answer, above, I generally use PowerShell + BouncyCastle these days. It's more flexible than makecert. I should blog something about it.... – Roger Lipscombe Jan 23 '13 at 10:46
  • Under the Visual Studio 2010 command window, I ran your 2nd script; I could get the pvk file but not the cer file. If I remove `-ic CA.cer -iv CA.pvk` I get both. Any reason? – hardywang Mar 11 '13 at 20:23
  • PowerShell + BouncyCastle: https://blog.differentpla.net/b/2013/31/17/how-do-i-use-bouncy-castle-from-powershell- and https://github.com/rlipscombe/PSBouncyCastle – Roger Lipscombe Apr 27 '13 at 07:51
  • Thanks heaps for this answer. It's the only one of several I have read that works. +1. I had to use the -po argument to set a password; without that the cer would not import into IIS. – Sam Sep 13 '13 at 05:18
  • +1 for a great answer. Helped me fix my problem http://stackoverflow.com/questions/23885449/unable-to-resolve-unable-to-get-local-issuer-certificate-using-git-on-windows. I found that I needed to install BOTH pfx's in IIS. Thanks for your help. – RichardHowells May 27 '14 at 15:03
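The same four steps from the accepted answer (create a CA, issue a server certificate from it, export a .pfx for IIS, trust the CA on each machine), written as an added example with the PKI cmdlets that ship in Windows 8.1 / Server 2012 R2 and later instead of makecert and pvk2pfx. This is not the answer author's script. The subject names "My Dev Root Authority" and "dev.example.test", the output folder C:\DevCerts and the prompted password are placeholders. It must run in an elevated prompt because it writes to the LocalMachine stores.

```powershell
# Added example, not from the answer above: makecert/pvk2pfx steps redone with
# New-SelfSignedCertificate and friends. Run elevated. All names are placeholders.
$OutDir = 'C:\DevCerts'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the CA. KeyUsage CertSign plus the basicConstraints extension
#    (2.5.29.19, ca=1) is what makes certificate stores treat it as a real CA,
#    the job that -cy authority does in makecert. pathlength=0 means it can
#    issue end-entity certificates only, never a subordinate CA.
$ca = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=My Dev Root Authority' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyUsageProperty Sign `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Issue the server certificate from that CA. -Signer replaces -ic/-iv.
#    The EKU 1.3.6.1.5.5.7.3.1 (serverAuth) is the same one the answer passes
#    to -eku. -DnsName puts the host names into subjectAltName, which current
#    browsers require; a CN alone no longer satisfies them.
$server = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=dev.example.test' `
    -DnsName 'dev.example.test', 'localhost' `
    -Signer $ca `
    -KeyUsage KeyEncipherment, DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export. CA.cer holds only the CA's public certificate and is what you hand
#    out to developers. server.pfx holds the server key and must be password
#    protected; Export-PfxCertificate insists on a password, which also avoids
#    the "specified network password is not correct" import error mentioned
#    in the comments when the password does not match.
Export-Certificate -Cert $ca -FilePath "$OutDir\CA.cer" | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $server -FilePath "$OutDir\server.pfx" `
    -Password $pfxPassword | Out-Null

# 4. Trust the CA on this machine; repeat on every developer box, or push
#    CA.cer out through Group Policy as the answer suggests. Only the .cer goes
#    into Trusted Root Certification Authorities, never the .pfx or CA key.
Import-Certificate -FilePath "$OutDir\CA.cer" `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Check: once CA.cer is in the Root store the server certificate chains to a
# trusted root, and IIS can bind it straight from Cert:\LocalMachine\My.
if ($server.Verify()) {
    "Server certificate chains to the trusted dev CA."
} else {
    "Chain does not validate; confirm CA.cer landed in LocalMachine\Root."
}
```

The CA certificate and key stay in Cert:\LocalMachine\My on the machine that issued; that is the machine to protect, since anyone who can export that key can mint certificates every developer box will trust. On the IIS host you import server.pfx into the Local Computer personal store (or via the IIS Manager "Import..." action) and select it in the HTTPS site binding; the browser warning in the question goes away only when both the CA is in Root and the host name you browse to matches a name in -DnsName.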
12

You should add -cy authority to the switches when creating the cert authority, otherwise some cert stores won't see it as a proper CA.

masty